2018-05-29 More Emotet Malspam

Quick post for today. Looks like some more Emotet maldocs. As usual, these two dealt with an invoice of some sort. While the sender is not the same in both instances, and the hashes of the attachments differ as well, they both end up using the same URLs to download the malicious binary.

Analysis:
=========
Nothing really special about these maldocs. They use macros within a Word document to launch the malicious code. As seen below, the process tree from ProcMon is pretty straightforward.

Once the macro is run, PowerShell is immediately started with the following command:

*NOTE:* I managed to do this by referencing an old trick that I documented in this blog post. I will walk through how I did it here as well (to save you a click).

So the above PowerShell command starts off with “something” base64 encoded, as denoted by the “-e” switch, which is one of several ways of writing that parameter. The trick here is to run it through PowerShell and have it do the heavy lifting for you (i.e., deobfuscate it). With that said, I first took the base64 string and decoded it using CyberChef, as seen here. Once I had decoded it into somewhat human-readable text, I copied the output, opened PowerShell ISE on my VM, and pasted it into a “Write-Host” cmdlet:
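The decode step above (base64 of the “-e” argument, then letting PowerShell evaluate the string) can be reproduced outside of a VM for triage. The script below is an added example and is not code from the original post: it pulls the encoded argument off a launcher command line, decodes it the way powershell.exe does for -EncodedCommand (base64 over UTF-16LE text, with a UTF-8 fallback for samples that use a different wrapper), collapses simple 'a'+'b' string concatenation the way Write-Host would show it evaluated, and prints the URLs defanged. The command line, the script inside it and the example domains are all constructed for this illustration.

```python
"""Triage helper for a base64 -EncodedCommand PowerShell launcher (added example)."""
import base64
import re

# Constructed stand-in for a decoded launcher.  The 'a'+'b' concatenation is the
# light obfuscation PowerShell collapses when it evaluates the expression;
# the hosts are reserved example names and a TEST-NET address, not real IOCs.
SAMPLE_SCRIPT = (
    "$list='https://fotofolly.'+'example/abc/','http://maisbrasil'+'photo.example/def/',"
    "'https://203.0.113.5/ping';"
    "foreach($u in $list){Write-Output $u}"
)

def encode_command(script: str) -> str:
    """Encode text the way powershell.exe expects for -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command line in the shape seen in the post's process tree.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + encode_command(SAMPLE_SCRIPT)

def _is_encoded_switch(token: str) -> bool:
    """True for -e, -ec and any prefix of -EncodedCommand of length >= 2.
    A bare -e resolves to EncodedCommand; -ep/-ex belong to -ExecutionPolicy,
    so any other short form must be a prefix of 'encodedcommand' itself."""
    if token[:1] not in ("-", "/"):
        return False
    t = token[1:].lower()
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))

def extract_encoded_arg(cmdline: str):
    """Return the base64 argument following the encoded-command switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            return tokens[i + 1].strip("'\"")
    return None

def decode_encoded_command(b64: str) -> str:
    """Decode the payload.  -EncodedCommand is always UTF-16LE; the heuristic on
    the odd bytes (mostly NUL for Latin text) lets the UTF-8 fallback handle
    samples that base64 a script for a UTF8.GetString wrapper instead."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)          # repair padding lost in copy/paste
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def join_string_concats(script: str) -> str:
    """Collapse 'a'+'b' literals into 'ab', as PowerShell does before Write-Host prints them."""
    prev = None
    while prev != script:
        prev, script = script, _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script

_URL = re.compile(r"""https?://[^\s'"`;,)]+""", re.IGNORECASE)

def defang(url: str) -> str:
    """Write URLs the way the post does (hxxp, [.]) so they are not clickable."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")

def extract_iocs(script: str):
    """Return the defanged, de-duplicated URLs found in a decoded script."""
    seen = []
    for url in _URL.findall(join_string_concats(script)):
        d = defang(url)
        if d not in seen:
            seen.append(d)
    return seen

def triage(cmdline: str):
    """Full pipeline: launcher command line -> decoded script -> defanged URLs."""
    b64 = extract_encoded_arg(cmdline)
    if b64 is None:
        return None, []
    script = decode_encoded_command(b64)
    return script, extract_iocs(script)

if __name__ == "__main__":
    decoded, iocs = triage(SAMPLE_CMDLINE)
    print(decoded)
    for ioc in iocs:
        print("IOC:", ioc)
```

Running the script prints the decoded launcher followed by the three constructed URLs in defanged form. The concatenation collapse only covers single-quoted literals; anything that needs real evaluation (format operators, char-code arithmetic) is still best handed to PowerShell in an isolated VM as the post describes.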

From here we can see the calls to fotofolly[.]com and to maisbrasilphoto[.]com.br. The connection to fotofolly[.]com is over HTTPS, so nothing can be observed there. The call to maisbrasilphoto[.]com.br returns a binary, as seen below:

We also see a GET request to the following IP address over HTTPS: 74[.]137[.]102[.]161. Since this is over HTTPS, not much can be seen here either. All I know is that once the malware had been up and running for a while, I saw the process “markerswwa.exe” communicating with this IP over HTTPS.

2 Comments

“The domain fotofolly[.]com is over HTTPS so nothing can be observed there.” You can set up session key logging in your VM browser to start logging the symmetric session key (used to encrypt TLS/SSL traffic) to a file. Then, using Wireshark, you can simply decode the encrypted requests/responses.
Regards